[SalesForce] Clickjack Protection

Spring 14 is automatically enabling Clickjack protection on all non-setup pages. It's a critical update going live on Feb 9, 2014.

It seems that this update enables a same origin policy on the salesforce.com domain. I get that. What I don't know is whether an iframe on a force.com page that frames in a salesforce.com page is supposed to be ok. As of now, it fails, but I am curious if that is a bug or by design.

Anyone know?

Best Answer

@scott,

Of course, IANASFE (I am not a salesforce employee) but it would seem to me, on the face of it, that the clickjacking protection would not allow a force.com page to iframe in a salesforce.com page.

Here's my reasoning and please, someone, shoot me down. Click-jacking is fundamentally a privilege-execution security issue where someone/thing with privilege is tricked into innocently taking an action that executes code with their privileges. Problem is, the X-Frame-Options header is a pretty crude brush to paint with. Last I looked (few weeks ago) there were only three options: DENY, SAMEORIGIN and ALLOW-FROM. In theory, Allow-from is our golden goose. The catch is ... if your browser does not support this relatively new addition (here's the browser compatibility breakdown: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options), the site is left without any active click-jack protection.

That means the safe and secure default for IE < 8, all versions of Chrome, FF < 18, and all versions of Safari (including mobile) isn't ALLOW-FROM -- it's not supported -- but rather SAMEORIGIN.
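To make the SAMEORIGIN vs. ALLOW-FROM reasoning in the answer concrete, here is an added example (not Salesforce code or code from the original post) that evaluates an X-Frame-Options value the way a supporting browser would, including the "unsupported ALLOW-FROM means no protection" case. The force.com and salesforce.com hostnames are constructed stand-ins for the question's pages.

```python
from urllib.parse import urlsplit

# Added example, not Salesforce code: evaluates an X-Frame-Options header
# against concrete top-level and framed origins.

def origin_of(url):
    """Return (scheme, host, port) for a URL, with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)

def framing_allowed(header_value, framed_url, top_url, supports_allow_from=True):
    """Decide whether top_url may embed framed_url given framed_url's header.

    Returns (allowed, reason). An unsupported or unrecognised value is treated
    as 'no protection' (True), mirroring the answer's point that ALLOW-FROM
    degrades to no protection in browsers that do not implement it.
    """
    directive, _, arg = header_value.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False, "DENY"
    if directive == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(top_url)
        return same, "SAMEORIGIN (%s)" % ("match" if same else "mismatch")
    if directive == "ALLOW-FROM":
        if not supports_allow_from:
            return True, "ALLOW-FROM unsupported: header ignored, no protection"
        ok = origin_of(arg.strip()) == origin_of(top_url)
        return ok, "ALLOW-FROM (%s)" % ("match" if ok else "mismatch")
    return True, "unrecognised directive: ignored"

# Constructed hostnames standing in for the question's force.com / salesforce.com pages.
FORCE_PAGE = "https://example.force.com/apex/MyPage"
SFDC_PAGE = "https://example.salesforce.com/001"

if __name__ == "__main__":
    # force.com framing salesforce.com under SAMEORIGIN: origins differ, blocked
    print(framing_allowed("SAMEORIGIN", SFDC_PAGE, FORCE_PAGE))
    # salesforce.com framing itself: same origin, allowed
    print(framing_allowed("SAMEORIGIN", SFDC_PAGE, "https://example.salesforce.com/home"))
    # ALLOW-FROM on a supporting browser: allowed for the listed origin only
    print(framing_allowed("ALLOW-FROM https://example.force.com", SFDC_PAGE, FORCE_PAGE))
    # ALLOW-FROM on a non-supporting browser: header ignored, no protection at all
    print(framing_allowed("ALLOW-FROM https://example.force.com", SFDC_PAGE, FORCE_PAGE,
                          supports_allow_from=False))
```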
